Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    ae4100252450220b4f7d39214d4660894ee149d9c96a885f844f0652283198e9.bat

  • Size

    275KB

  • Sample

    240823-czbkratbjl

  • MD5

    536ac91b5fe6a53fd85f5d7b609dc591

  • SHA1

    5fb565c1bec3e386642e921c34ea365fbcb07127

  • SHA256

    ae4100252450220b4f7d39214d4660894ee149d9c96a885f844f0652283198e9

  • SHA512

    b47aeba5a1abdcd8b1b6ba67663fb199fca22a21c1417aa830d042268f6c810b9abf246b964d7dc76497b009f8d54e77c1b0f38e5c775097b9fa15dbd19b748f

  • SSDEEP

    6144:h1E5NlqQRcu+pHfFQS7w1bUyntarmxcGqKxH1279F:h1E5qz9H9T7w1bUotqgRH+

Malware Config

Extracted

Family

xworm

Version

5.0

C2

95.98.144.201:2404

Mutex

JnG5DxKNjDpRvsxT

Attributes
  • Install_directory

    %Temp%

  • install_file

    e45iasd.exe

  • telegram

    https://api.telegram.org/bot6421494903:AAFuoWigwh2-oDYMZFAWqzFsbHJABidzW1Q

aes.plain

Targets

    • Target

      ae4100252450220b4f7d39214d4660894ee149d9c96a885f844f0652283198e9.bat

    • Size

      275KB

    • MD5

      536ac91b5fe6a53fd85f5d7b609dc591

    • SHA1

      5fb565c1bec3e386642e921c34ea365fbcb07127

    • SHA256

      ae4100252450220b4f7d39214d4660894ee149d9c96a885f844f0652283198e9

    • SHA512

      b47aeba5a1abdcd8b1b6ba67663fb199fca22a21c1417aa830d042268f6c810b9abf246b964d7dc76497b009f8d54e77c1b0f38e5c775097b9fa15dbd19b748f

    • SSDEEP

      6144:h1E5NlqQRcu+pHfFQS7w1bUyntarmxcGqKxH1279F:h1E5qz9H9T7w1bUotqgRH+

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks